[jboss-as7-dev] Security Domain Config: JASPI vs Classic?

Bill Burke bburke at redhat.com
Tue Oct 4 11:11:18 EDT 2011



On 10/4/11 10:52 AM, Darran Lofthouse wrote:
> For the loading of additional identity information for the authenticated
> user such as role information I believe JAAS still has a place and JAAS
> as a complete authentication approach works with mechanisms such as
> Plain where we have a password we want to validate but I also agree we
> have moved beyond the point where we can assume we always have
> everything in the incoming request to pass to JAAS to verify in isolation.
>

What Java EE SPI is there for authorization?  Is there even one?  In 
looking at our code, it just looks like we decided that our LoginModules 
are responsible for adding role information.

In the architecture I proposed, we just had another callback interface:

import java.security.Principal;
import java.security.acl.Group;   // deprecated in Java 9, removed in Java 14
import java.util.Set;
import javax.security.auth.callback.Callback;

// Callback through which a handler supplies the role set for an already
// authenticated principal; extends Callback so it fits the JAAS/JASPI handler model
public interface RoleSetCallback extends Callback {

    Principal getPrincipal();
    Set<Group> getRoleSet();
    void setRoleSet(Set<Group> set);
}

And a handler can decide whether or not it supports that interface.

Another interface we could add for AuthModules is a required callbacks 
method:

import java.util.Set;
import javax.security.auth.callback.Callback;

// Implemented by an AuthModule so the container can see, before any request
// arrives, which Callback types its CallbackHandler must be able to serve
interface RequiredCallbackInterfaces {

    // returns the whole set of required callback types, not a single Class
    Set<Class<? extends Callback>> getRequiredInterfaces();

}

Then we could do some checking at deployment time to catch the case 
where an AuthModule needs a callback interface that isn't provided by 
the security domain.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
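The two pieces of the proposal above, a handler that decides whether it supports RoleSetCallback and a deployment-time check that an AuthModule's required callbacks are all provided by the security domain, worked through as an added example. This is not jboss-as7 code: every type in it (CallbackContractCheck, DomainCallbackHandler, SupportedCallbackInterfaces, ClientCertCallback, the in-class RoleSetCallback) is hypothetical, the user/role data is constructed, and roles are plain strings instead of java.security.acl.Group so it compiles on a current JDK.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Added example, not jboss-as7 code. All types except the JDK callback
// classes are hypothetical; roles are strings, not java.security.acl.Group.
public class CallbackContractCheck {

    // Stand-in for the RoleSetCallback sketched in the mail.
    public static final class RoleSetCallback implements Callback {
        private final Principal principal;
        private Set<String> roles = new LinkedHashSet<>();
        public RoleSetCallback(Principal p) { principal = p; }
        public Principal getPrincipal() { return principal; }
        public Set<String> getRoleSet() { return roles; }
        public void setRoleSet(Set<String> set) { roles = set; }
    }

    // A callback this example's domain does NOT know how to serve.
    public static final class ClientCertCallback implements Callback {
        private X509Certificate[] chain;
        public X509Certificate[] getChain() { return chain; }
        public void setChain(X509Certificate[] c) { chain = c; }
    }

    // What an AuthModule declares (the mail's RequiredCallbackInterfaces).
    public interface RequiredCallbackInterfaces {
        Set<Class<? extends Callback>> getRequiredInterfaces();
    }

    // The matching declaration on the security-domain side.
    public interface SupportedCallbackInterfaces {
        Set<Class<? extends Callback>> getSupportedInterfaces();
    }

    // Request-scoped handler for one security domain: serves name, password
    // and role lookups, and refuses anything else explicitly.
    public static final class DomainCallbackHandler
            implements CallbackHandler, SupportedCallbackInterfaces {
        // Constructed role store standing in for LDAP / a database.
        private static final Set<String> ADMINS = Collections.singleton("alice");
        private final String user;
        private final char[] password;
        public DomainCallbackHandler(String u, char[] pw) { user = u; password = pw; }

        @Override
        public Set<Class<? extends Callback>> getSupportedInterfaces() {
            return new HashSet<>(Arrays.<Class<? extends Callback>>asList(
                    NameCallback.class, PasswordCallback.class, RoleSetCallback.class));
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RoleSetCallback) {
                    RoleSetCallback rsc = (RoleSetCallback) cb;
                    Set<String> roles = new LinkedHashSet<>();
                    roles.add("user");
                    if (ADMINS.contains(rsc.getPrincipal().getName())) roles.add("admin");
                    rsc.setRoleSet(roles);
                } else {
                    // Only reachable if the deployment-time check below was skipped.
                    throw new UnsupportedCallbackException(cb,
                            cb.getClass().getSimpleName() + " not provided by this security domain");
                }
            }
        }
    }

    // Deployment-time check: the callback types the module needs but the
    // domain cannot serve. Empty means the pairing is sound.
    public static Set<Class<? extends Callback>> missingCallbacks(
            RequiredCallbackInterfaces module, SupportedCallbackInterfaces domain) {
        Set<Class<? extends Callback>> missing = new LinkedHashSet<>(module.getRequiredInterfaces());
        missing.removeAll(domain.getSupportedInterfaces());
        return missing;
    }

    public static void main(String[] args) throws Exception {
        DomainCallbackHandler domain = new DomainCallbackHandler("alice", "s3cret".toCharArray());
        // Form-login style module: everything it needs is available.
        RequiredCallbackInterfaces formModule = () -> new HashSet<>(Arrays.<Class<? extends Callback>>asList(
                NameCallback.class, PasswordCallback.class, RoleSetCallback.class));
        // Client-cert module: needs a callback this domain does not provide.
        RequiredCallbackInterfaces certModule = () -> new HashSet<>(Arrays.<Class<? extends Callback>>asList(
                ClientCertCallback.class, RoleSetCallback.class));
        for (RequiredCallbackInterfaces m : Arrays.asList(formModule, certModule)) {
            Set<Class<? extends Callback>> missing = missingCallbacks(m, domain);
            System.out.println(missing.isEmpty() ? "deploy: ok" : "deploy: rejected, domain lacks " + missing);
        }
        // Request time, for the module that passed: the handler fills in the roles.
        RoleSetCallback rsc = new RoleSetCallback(() -> "alice");
        domain.handle(new Callback[] { rsc });
        System.out.println(rsc.getPrincipal().getName() + " roles: " + rsc.getRoleSet());
    }
}
```

The point of the check is the failure mode it moves: without it, the cert module's ClientCertCallback only surfaces as an UnsupportedCallbackException on the first real request, with the deployment already live; with it, the mismatch is reported when the module is wired to the domain and the deployment never starts.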

